On 2014-11-06 09:43, helpcrypto helpcrypto wrote:
> Hi
> Anders: as you seem to have the decisive voice in here, since our last talk,
> what has changed?
Hi helpcrypto,
I have no decisive power here, I only aired my opinion and have also tried (in
vain so far...) making folks aware of the quite different projects that are on
the table.
Combining these projects is something I wouldn't do since for example ISO 7816
and the WebCrypto API have no clear relationship.
> As you know, I'm of the opinion that it is better to keep smartcards as secure
> elements where keys can be stored, than throwing it all into the recycle bin.
> In our case we have a JavaCard, so we could even establish a mutual trust
> channel between server and card for the population process. Older cards are
> probably a bigger problem ;)
> It's true that PKI doesn't support "key usages for specific domains", something
> FIDO does. Does anyone know a way to implement this using traditional PKI?
> Can you imagine/describe a secure/valid scenario where smartcards are one
> possible secure keystore for a PKI cert, being possible to auth+sign documents
> using Javascript? (do it with all the effort/strength of your imagination!!!)
I'm probably not the right person to ask...since we IMO are still waiting for a
credible write-up on how to use EMV-cards on the web which seems like a
suitable task for the card industry.
It appears that Microsoft may be on to something that could be useful for you:
http://www.w3.org/2014/10/30-crypto-minutes.html
Cheers
Anders
> Sanjeev: AFAIK, the FIDO group is not open, nor open to community participation.
> IIRC, there was a possibility of loading a FIDO applet inside my
> JavaCard + requesting a PIN to login, even a RAW/APDU spec.
> As FIDO is not PKI based, will that mean I have to dump what I already have?
> (millions of certs from different CAs used by millions of users to auth and
> sign documents?)
> Actually we do this using an awful applet, and that's what we want to avoid.
> Perfect is the enemy of good. Perhaps we should reach an agreement-solution.
> PS: Virgine (): based on your experience, do people from the Webcrypto WG
> have anything to say related to this? I know smartcards were out of scope. Were
> the different viewpoints the reason? Do they 'like' the idea of including
> smartcards on spec? Do manufacturers/providers/vendors/big actors have something
> to say? Is FIDO what they say?
> Regards